You need to create policies that deny access to the anonymous user. You can do this either with the web.xml file within the .war file or with Access Manager policies. In Access Manager, you deny access to the anonymous user by creating an authorization policy that denies access to anyone who has not been assigned the authenticated role. Anonymous users who haven’t authenticated do not have this role, and users who have authenticated to Access Manager are automatically assigned this role.
If you have pages that call Enterprise JavaBeans that are protected, you should assign a policy to these pages that denies access to users who have not authenticated.
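As an added illustration (not part of the original documentation or the J2EE Agent), the following Python check parses a web.xml and reports every servlet url-pattern that no auth-constraint protects, i.e. pages the anonymous user can still reach; the sample descriptor is constructed for the example and is not the real PayrollApp.ear descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not PayrollApp's real descriptor): one protected
# mapping, one with no constraint, and one whose constraint only demands TLS.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping><servlet-name>Payroll</servlet-name><url-pattern>/payroll/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Help</servlet-name><url-pattern>/help</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Public</servlet-name><url-pattern>/public/*</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>Payroll</web-resource-name><url-pattern>/payroll/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Public</web-resource-name><url-pattern>/public/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    return tag.split('}', 1)[-1]  # drop the XML namespace, compare by local name

def _texts(elem, name):
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]

def _covers(constraint_pattern, servlet_pattern):
    """True if a security-constraint url-pattern covers a servlet url-pattern."""
    if constraint_pattern in (servlet_pattern, '/*'):
        return True
    if constraint_pattern.endswith('/*'):
        return servlet_pattern.startswith(constraint_pattern[:-1])
    return False

def anonymous_reachable(web_xml):
    """Return servlet url-patterns that no auth-constraint restricts.
    A security-constraint without an auth-constraint only demands TLS, so it is still open."""
    root = ET.fromstring(web_xml)
    constraints = [e for e in root.iter() if _local(e.tag) == 'security-constraint']
    # Only constraints that carry an auth-constraint restrict who may call the resource.
    auth_patterns = [p for sc in constraints
                     if any(_local(c.tag) == 'auth-constraint' for c in sc)
                     for p in _texts(sc, 'url-pattern')]
    mappings = [e for e in root.iter() if _local(e.tag) == 'servlet-mapping']
    return [p for sm in mappings for p in _texts(sm, 'url-pattern')
            if not any(_covers(ap, p) for ap in auth_patterns)]

if __name__ == '__main__':
    print(anonymous_reachable(SAMPLE_WEB_XML))  # ['/help', '/public/*']
```

Any pattern the check reports that calls a protected Enterprise JavaBean needs either an auth-constraint in web.xml or an Access Manager policy denying users without the authenticated role.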
If you have WebSphere applications already deployed when you installed the J2EE Agent, you need to run the wsadmin tool to update the agent with the security policies of the applications. For more information about updating a security policy, see Propagating a Security Policy.
An Enterprise JavaBean deployment descriptor can state that an Enterprise JavaBean must run with a particular role. The sample application (PayrollApp.ear) includes such a statement in its descriptor:
<security-identity>
    <run-as>
        <role-name>Manager</role-name>
    </run-as>
</security-identity>
Without configuring WebSphere to map a RunAs role to a user, WebSphere ignores this statement. If a user is mapped to a RunAs role, the agent cannot know which J2EE roles the user has unless the role is also mapped.
To configure mapping for RunAs roles, complete the following during WebSphere deployment:
Map the user or group to J2EE roles. This is Step 7 of the deployment process.
The J2EE Agent uses this mapping to discover which role a user or a user's group belongs to.
Map a RunAs role to a user. This is Step 8 of the deployment process.
The WebSphere server uses this mapping to assign a user to execute an Enterprise JavaBeans method.